TL;DR: Two FSB-linked groups exploit a WinRAR bug patched in July 2025 to steal Ukrainian credentials. The patch exists but adoption remains slow.
Two Russian state-linked hacking groups are actively exploiting a path traversal vulnerability in WinRAR that was patched nearly a year ago, using it to deploy credential-stealing malware against Ukrainian government and military targets, according to research published by Trend Micro. The flaw, tracked as CVE-2025-8088 and rated 8.4 on the CVSS scale, allows attackers to abuse NTFS Alternate Data Streams to hide malicious payloads inside archive files that appear harmless to the recipient. The patch shipped in WinRAR 7.13 on 30 July 2025, but active exploitation began at least 12 days earlier, and the two groups are still using it because WinRAR remains deeply embedded in Ukrainian organisations and update adoption has been slow.
Gamaredon, the FSB-linked group that Trend Micro tracks as Earth Dahu, is using the vulnerability as the entry point for a multi-stage infection chain. The attack begins with a spear-phishing email containing a weaponised RAR archive that exploits CVE-2025-8088 to drop an HTA file, which executes a VBScript loader called GammaPhish. That loader downloads GammaLoad, a backdoor that establishes persistence and fetches GammaSteel, the group’s primary tool for exfiltrating documents and screenshots from compromised machines.
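An added example, not code from the article or from Trend Micro's research: a Python pre-extraction check that flags archive entry names that would land outside the destination directory or that carry an NTFS alternate data stream, the two ingredients CVE-2025-8088 abuses. It assumes entry names are available as an archive listing presents them (ADS entries in a `file:stream` form); the destination path and the sample listing are constructed.

```python
import ntpath
from typing import Dict, List, Set

# Reason codes returned by classify_entry(); an empty set means the name looks safe.
ABSOLUTE = "absolute-path"
TRAVERSAL = "escapes-destination"
ADS = "alternate-data-stream"

# Constructed extraction directory used as the default destination.
DEFAULT_DEST = r"C:\Users\victim\Downloads\extract"


def classify_entry(name: str, dest: str = DEFAULT_DEST) -> Set[str]:
    """Return the reasons an archive entry name should be blocked before extraction."""
    reasons: Set[str] = set()
    # The archive is attacker-controlled, so normalise separators the way Windows will.
    win_name = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(win_name)
    if drive or rest.startswith("\\"):
        reasons.add(ABSOLUTE)
    # An NTFS alternate data stream is addressed as "file:stream" inside one path
    # component; a drive letter also uses ":" but splitdrive() has already removed it.
    if any(":" in part for part in rest.split("\\")):
        reasons.add(ADS)
    # Resolve ".." the way an extractor would and require the result to stay inside dest.
    base = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(base, rest.lstrip("\\")))
    if ntpath.commonpath([base, target]) != base:
        reasons.add(TRAVERSAL)
    return reasons


def scan_listing(names: List[str], dest: str = DEFAULT_DEST) -> Dict[str, Set[str]]:
    """Map each suspicious entry name to its reasons; safe names are omitted."""
    return {n: r for n in names if (r := classify_entry(n, dest))}


# Constructed listing: one benign document plus entries shaped like archive-based
# traversal and ADS abuse (hypothetical names, not indicators from the research).
SAMPLE_LISTING = [
    "report.pdf",
    r"..\..\..\evil.hta",
    r"C:\Windows\Temp\evil.hta",
    "notes.txt:payload.hta",
    r"notes.txt:..\..\..\payload.hta",
]

if __name__ == "__main__":
    for entry, why in scan_listing(SAMPLE_LISTING).items():
        print(f"BLOCK {entry!r}: {', '.join(sorted(why))}")
```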